CVE-2026-24513
Published 2026-02-03
Priority P4 · Severity low · CVSS 3.1 base score 3.1 (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
EPSS: 0.28% (19.5th percentile)
A security issue was discovered in ingress-nginx where the protection afforded by the `auth-url` Ingress annotation may not be effective in the presence of a specific misconfiguration.
If the ingress-nginx controller is configured with a default custom-errors configuration that includes HTTP errors 401 or 403, and if the configured default custom-errors backend is defective and fails to respect the X-Code HTTP header, then an Ingress with the `auth-url` annotation may be accessed even when authentication fails.
Note that the built-in custom-errors backend works correctly. Triggering this issue requires an administrator to specifically configure ingress-nginx with a broken external component.
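As an added illustration (not code from the ingress-nginx project), a minimal custom-errors backend that honours the X-Code header beside the defective behaviour the advisory describes, plus a check worth running before pointing a default custom-errors configuration at any external backend; the accepted code set and the listening port are assumptions.

```python
# Added example, not ingress-nginx project code. Per the advisory, ingress-nginx
# hands 401/403 responses to the configured default custom-errors backend and
# names the status to emit in the X-Code header; a defective backend ignores it.
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, Dict, Tuple

# Assumption: the error codes this backend is willing to render.
ERROR_CODES = {400, 401, 403, 404, 500, 502, 503, 504}

Handler = Callable[[Dict[str, str]], Tuple[int, bytes]]

def _x_code(headers: Dict[str, str]) -> str:
    """Case-insensitive lookup of the X-Code request header."""
    return next((v for k, v in headers.items() if k.lower() == "x-code"), "")

def correct_error_response(headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Status comes from X-Code; missing or unexpected values fail closed (500)."""
    try:
        code = int(_x_code(headers))
    except ValueError:
        return 500, b"custom-errors backend: missing or invalid X-Code\n"
    if code not in ERROR_CODES:
        return 500, b"custom-errors backend: unexpected X-Code\n"
    return code, f"{code} error page\n".encode()

def defective_error_response(headers: Dict[str, str]) -> Tuple[int, bytes]:
    """The defect from the advisory: X-Code is ignored and every reply is 200,
    so a failed auth-url check no longer reaches the client as a failure."""
    return 200, b"<html>friendly error page</html>\n"

def backend_respects_x_code(handler: Handler) -> bool:
    """Pre-deployment check: 401 and 403 must come back unchanged, and a
    request without X-Code must never turn into a success."""
    codes_ok = all(handler({"X-Code": str(c)})[0] == c for c in (401, 403))
    return codes_ok and handler({})[0] >= 400

class ErrorHandler(BaseHTTPRequestHandler):
    # HTTP front for correct_error_response: the endpoint a default
    # custom-errors configuration would proxy 401/403 responses to.
    def do_GET(self):
        status, body = correct_error_response(dict(self.headers.items()))
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), ErrorHandler).serve_forever()  # port assumed
```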
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| k8s.io | ingress-nginx | >= 0 < 1.13.7 | 1.13.7 |
| k8s.io | ingress-nginx | >= 1.14.0 < 1.14.3 | 1.14.3 |
| kubernetes | ingress-nginx | < 1.13.7 | 1.13.7 |
| kubernetes | ingress-nginx | < 1.14.3 | 1.14.3 |
OSV
osv · 2026-02-05
CVE-2026-24513: ingress-nginx has Improper Check for Unusual or Exceptional Conditions in k8s.io/ingress-nginx.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: k8s.io/ingress-nginx before v1.13.7, from v1.14.0 before v1.14.3.
OSV
osv · 2026-02-04
CVE-2026-24513 [LOW]: ingress-nginx has Improper Check for Unusual or Exceptional Conditions.
GHSA
ghsa · 2026-02-04
CVE-2026-24513 [LOW] CWE-754: ingress-nginx has Improper Check for Unusual or Exceptional Conditions.
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-24512 Impact, Exploitability, and Mitigation Steps | Wiz
wiz · published February 3, 2026 · Severity HIGH · CNA score 8.8 · Source: NVD
CVE-2026-24512: Ingress NGINX Controller (community-driven) vulnerability analysis and mitigation (keyword: rules.http.paths.path).
High-profile vulnerability: Yes. Public exploit: Yes. CISA KEV: No (release date N/A, due date N/A). EPSS: 0.1 (20.8th percentile).
Affected technologies: Ingress NGINX Controller (community-driven), MinimOS. Affected packages and libraries: ingress-nginx-controller-1.14, k8s.io/ingress-nginx.
Sources: GoLang (HIGH, has fix, added Feb 08, 2026); MinimOS (HIGH, has fix, added Feb 08, 2026); Linux (HIGH, has fix, added Feb 03, 2026); Windows (HIGH, has fix).
Wiz
CVE-2026-3288 Impact, Exploitability, and Mitigation Steps | Wiz
wiz · published March 9, 2026 · Severity HIGH · CNA score 8.8 · Source: NVD
CVE-2026-3288: Ingress NGINX Controller (community-driven) vulnerability analysis and mitigation (keyword: nginx.ingress.kubernetes.io/rewrite-target).
Public exploit: Yes. CISA KEV: No (release date N/A, due date N/A). EPSS: N/A (13.9th percentile).
Affected technologies: Ingress NGINX Controller (community-driven). Affected packages and libraries: cpe:2.3:a:kubernetes:ingress-nginx.
Sources: Linux (HIGH, has fix, added Mar 10, 2026); Windows (HIGH, has fix, added Mar 10, 2026).
Wiz
CVE-2025-15566 Impact, Exploitability, and Mitigation Steps | Wiz
wiz · published February 6, 2026 · Severity HIGH · CNA score 8.8 · Source: NVD
CVE-2025-15566: Ingress NGINX Controller (community-driven) vulnerability analysis and mitigation (keyword: nginx.ingress.kubernetes.io/auth-proxy-set-headers).
Public exploit: No. CISA KEV: No (release date N/A, due date N/A). EPSS: N/A (13.5th percentile).
Affected technologies: Ingress NGINX Controller (community-driven). Affected packages and libraries: cpe:2.3:a:kubernetes:ingress-nginx.
Sources: NVD; Linux (HIGH, has fix, added Feb 08, 2026); Windows (HIGH, has fix, added Feb 08, 2026).
Wiz
CVE-2026-24513 Impact, Exploitability, and Mitigation Steps | Wiz
wiz · published February 3, 2026 · Severity LOW · CNA score 3.1 · Source: NVD
CVE-2026-24513: Ingress NGINX Controller (community-driven) vulnerability analysis and mitigation (keyword: auth-url).
Note that the built-in custom-errors backend works correctly. Triggering this issue requires an administrator to specifically configure ingress-nginx with a broken external component.
High-profile vulnerability: Yes. Public exploit: No. CISA KEV: No (release date N/A, due date N/A). EPSS: N/A (2.1st percentile).
Affected technologies: Ingress NGINX Controller (community-driven), MinimOS. Affected packages and libraries: cpe:2.3:a:kubernetes:ingress-nginx, k8s.io/ingress-nginx.
Wiz
CVE-2026-24514 Impact, Exploitability, and Mitigation Steps | Wiz
wiz · published February 3, 2026 · Severity MEDIUM · CNA score 6.5 · Source: NVD
CVE-2026-24514: Ingress NGINX Controller (community-driven) vulnerability analysis and mitigation.
A security issue was discovered in ingress-nginx where the validating admission controller feature is subject to a denial of service condition. By sending large requests to the validating admission controller, an attacker can cause memory consumption, which may result in the ingress-nginx controller pod being killed or the node running out of memory.
High-profile vulnerability: Yes. Public exploit: Yes. CISA KEV: No (release date N/A, due date N/A).
Affected technologies: Ingress NGINX Controller (community-driven), MinimOS.
Wiz
CVE-2026-4342 Impact, Exploitability, and Mitigation Steps | Wiz
wiz · published March 19, 2026 · Severity HIGH · CNA score 8.8 · Source: NVD
CVE-2026-4342: Ingress NGINX Controller (community-driven) vulnerability analysis and mitigation.
A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Public exploit: No. CISA KEV: No (release date N/A, due date N/A). EPSS percentile: 11.3.
Affected technologies: Ingress NGINX Controller (community-driven).
Wiz
CVE-2026-1580 Impact, Exploitability, and Mitigation Steps | Wiz
wiz · published February 3, 2026 · Severity HIGH · CNA score 8.8 · Source: NVD
CVE-2026-1580: Ingress NGINX Controller (community-driven) vulnerability analysis and mitigation (keyword: nginx.ingress.kubernetes.io/auth-method).
High-profile vulnerability: Yes. Public exploit: No. CISA KEV: No (release date N/A, due date N/A). EPSS: N/A (13.5th percentile).
Affected technologies: Ingress NGINX Controller (community-driven), MinimOS. Affected packages and libraries: cpe:2.3:a:kubernetes:ingress-nginx, k8s.io/ingress-nginx.
Sources: GoLang (HIGH, has fix, added Feb 08, 2026); MinimOS (HIGH, has fix, added Feb 08, 2026); Linux (HIGH, has fix, added Feb 03, 2026); Windows (HIGH).